Jakub Hrozek wrote:
> On Thu, Apr 17, 2014 at 02:22:18PM +0200, Michael Ströder wrote:
>> On Thu, 17 Apr 2014 12:44:57 +0200 "Michael Ströder" <michael(a)stroeder.com>
>> wrote
>>> I can see substring filters like this in my LDAP logs:
>>>
>>> [..] (|(sudoHost=*\5C*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))
>>>
>>> (stripped the lengthy filter)
>>>
>>> Is this sssd asking for sudoRole entries?
>>
>> Hmm, clarified with the sysadmin to use:
>>
>> ldap_sudo_use_host_filter = false
>>
>> IMHO this should be the default because substring searches like above are
>> really stupid.
>
> Did you sanitize the filter before sending it to the list? I would have
> expected the filter to include your machine's host name..

Yes, it was shortened - indicated above by [..].

> And no, it's not stupid, the intent is to download only rules that apply
> to the particular machine.
Ok, let's look at the complete filter as multi-line representation (replaced
real names and addresses):
(&
  (&
    (objectClass=sudoRole)
    (modifyTimestamp>=20140217143850Z)
    (!(modifyTimestamp=20140217143850Z))
  )
  (|
    (!(sudoHost=*))
    (sudoHost=ALL)
    (sudoHost=foo)
    (sudoHost=foo.example.com)
    (sudoHost=192.168.42.220)
    (sudoHost=192.168.42.0/24)
    (sudoHost=+*)
    (|
      (sudoHost=*\5C*)
      (sudoHost=*?*)
      (sudoHost=*\2A*)
      (sudoHost=*[*]*)
    )
  )
)
No problem with the exact searches if you have an eq-index for 'sudoHost'.
But the substring searches are using less than 3 chars. Therefore even with a
sub-index on 'sudoHost' this would never be used. Ok, in this case above the
eq-indexing on 'objectClass' and ordering-indexing on 'modifyTimestamp'
reduce the number of search candidates.
=> I'd strongly vote for this default:
ldap_sudo_use_host_filter = false
In my case I will disable SUBSTR matching rule for 'sudoHost' on the LDAP
server since it's of no use in my setup.
Ciao, Michael.
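The index argument in the mail above can be checked mechanically rather than by eye. The following script is an added example, not code from sssd, sudo or OpenLDAP: it parses an RFC 4515 filter string into a small tree and lists every substring component (initial, any, final) that is shorter than a chosen minimum, which is exactly the property that decides whether a substring index can serve the assertion. The embedded filter is a reconstruction of the one quoted in the mail with the same placeholder host name and addresses. The default minimum of 3 follows the mail; the real cut-off is server configuration (OpenLDAP: index_substr_if_minlen and index_substr_any_len), so treat that number as an assumption to adjust for your server.

```python
"""Audit an LDAP search filter for substring assertions that cannot use an index."""
import re
from collections import Counter

# RFC 4515 escapes special bytes inside assertion values as \XX (two hex digits).
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")
# Attribute description followed by one of the simple operators; extensible
# matching (":=") is deliberately not supported here.
_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$", re.S)

# Constructed sample: the sssd sudo host filter from the mail, placeholder names.
SUDO_HOST_FILTER = r"""
(&
  (&
    (objectClass=sudoRole)
    (modifyTimestamp>=20140217143850Z)
    (!(modifyTimestamp=20140217143850Z))
  )
  (|
    (!(sudoHost=*))
    (sudoHost=ALL)
    (sudoHost=foo)
    (sudoHost=foo.example.com)
    (sudoHost=192.168.42.220)
    (sudoHost=192.168.42.0/24)
    (sudoHost=+*)
    (|
      (sudoHost=*\5C*)
      (sudoHost=*?*)
      (sudoHost=*\2A*)
      (sudoHost=*[*]*)
    )
  )
)
"""


def unescape(value):
    """Decode RFC 4515 hex escapes (backslash plus two hex digits) to characters."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def _ws(s, i):
    """Skip whitespace; multi-line filters as printed in logs or mails contain it."""
    while i < len(s) and s[i] in " \t\r\n":
        i += 1
    return i


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _parse(s, i):
    i = _ws(s, i)
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i = _ws(s, i + 1)
    c = s[i]
    if c in "&|":
        children = []
        i = _ws(s, i + 1)
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
            i = _ws(s, i)
        return ("and" if c == "&" else "or", children), _close(s, i)
    if c == "!":
        child, i = _parse(s, i + 1)
        return ("not", child), _close(s, _ws(s, i))
    # Simple assertion: runs to the next ')'. A literal ')' inside a value must
    # be escaped as \29 (RFC 4515), so the first unescaped ')' really ends it.
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated assertion")
    m = _ITEM.match(s[i:j].strip())
    if not m:
        raise ValueError(f"unsupported assertion {s[i:j]!r}")
    attr, op, value = m.groups()
    if op == "=" and value == "*":
        return ("present", attr), j + 1
    if op == "=" and "*" in value:
        # Split on the unescaped '*' first, then decode escapes in each piece,
        # so an escaped asterisk (\2A) stays a literal character in a component.
        parts = [unescape(p) for p in value.split("*")]
        return ("substring", attr, parts[0], [p for p in parts[1:-1] if p], parts[-1]), j + 1
    kind = {"=": "equality", ">=": "ge", "<=": "le", "~=": "approx"}[op]
    return (kind, attr, unescape(value)), j + 1


def parse_filter(text):
    """Parse a complete filter string into a nested tuple tree."""
    node, end = _parse(text, 0)
    if _ws(text, end) != len(text):
        raise ValueError("trailing data after filter")
    return node


def _walk(node, on_leaf):
    if node[0] in ("and", "or"):
        for child in node[1]:
            _walk(child, on_leaf)
    elif node[0] == "not":
        _walk(node[1], on_leaf)
    else:
        on_leaf(node)


def short_substring_components(node, min_len=3):
    """Return [(attr, component), ...] for substring pieces shorter than min_len."""
    found = []

    def check(leaf):
        if leaf[0] == "substring":
            _, attr, initial, anys, final = leaf
            for piece in [initial, *anys, final]:
                if piece and len(piece) < min_len:
                    found.append((attr, piece))

    _walk(node, check)
    return found


def assertion_counts(node):
    """Count assertion kinds to see what eq, sub and pres indexes would have to serve."""
    counts = Counter()
    _walk(node, lambda leaf: counts.update([leaf[0]]))
    return counts


if __name__ == "__main__":
    tree = parse_filter(SUDO_HOST_FILTER)
    print(dict(assertion_counts(tree)))
    for attr, piece in short_substring_components(tree):
        print(f"{attr}: substring component {piece!r} is too short for a sub index")
```

Run against the reconstructed filter it reports seven equality assertions, one presence assertion and five substring assertions, and flags six one-character substring components (+, backslash, ?, *, [ and ]), which is the concrete basis for the claim that a 'sudoHost' sub index would never be consulted. Setting ldap_sudo_use_host_filter = false removes those assertions from the server-side query, the trade-off being that every client then fetches all sudoRole entries and matches the host locally.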